The onkstore Utility

Use the onkstore utility to create and manage password stash files for use with the Storage Space Encryption and Integrated Backup Encryption features.

By default, the onkstore utility creates the password stash file in the $ONEDB_HOME/etc directory, but the file can be created in, and used from, any location accessible to the database server, provided that directory has secure permissions.

With its informix/informix ownership and 600 permissions, the password stash file can be read only by the root or informix users on UNIX/Linux, and only by the creator of the keystore on Windows. In addition, the file itself is encrypted with a password. The administrator must specify this keystore password when creating the password stash file. By default that password is stored, as an obfuscated value, in a stash file alongside the password stash file. Do not remove the stash file or allow it to be separated from the password stash file. If you do not want the password to be stashed, use the -nostash option when creating the keystore. In that case the password has to be supplied (for example interactively) to oninit and to utilities such as oncheck, onlog, or onbar.

The onkstore utility can create different types of password stash files. A password stash file contains one of the following:
  1. A Master Encryption Key (MEK) that the server uses as a "seed" to encrypt storage spaces with the Storage Space Encryption feature.
  2. A set of credentials to access a Remote Key Server that stores the Master Encryption Key for Storage Space Encryption (DISK_ENCRYPTION configuration parameter).
  3. A set of credentials to access a Remote Key Server that stores the Remote Master Encryption Key used by the Integrated Backup Encryption feature (BAR_ENCRYPTION configuration parameter).

The onkstore utility has the following usage:

Table 1. onkstore usage

-file <fn>         Name of the keystore to create, list, or convert.
-type              Type of keystore to create: local, AWS-EAR, AWS-BAR, KMIP, AZURE-EAR, AZURE-BAR.
-create            Create a new keystore. By default the password is stashed in a stash file; use -nostash if this is not desired.
-pw <fn>           With -create: file containing the cleartext keystore password. If it is not provided and the password is not already stashed, the password is prompted for interactively.
-list              List the contents of the keystore.
-cipher            Cipher the server will use: aes128, aes192, aes256.
-credential <fn>   File that contains the Remote Key Server credentials in JSON format.
-pw [<fn>]         Current password for the keystore, supplied either interactively or from a file.
-verify            Verify the keystore.
-convert           Convert the keystore from one type to another.
-changepw [<fn>]   Change the password for the keystore.
-nostash           Do not stash the password when creating the keystore.
-help              Print this message.

Note: -pw is not needed if the password is stashed.
Use the onkstore utility to perform the following tasks: